Device Groups in this Use Case

DG_BranchAndRegional for grouping firewalls that serve
as the security gateways at the branch offices and at the regional
head offices. We placed the branch office firewalls and the regional office
firewalls in the same device group because firewalls with similar
functions will require similar policy rulebases.

DG_DataCenter for grouping the firewalls that secure the
servers at the data centers.

We can then administer shared policy rules across both device
groups as well as administer distinct device group rules for the
regional office and branch office groups. Then for added flexibility,
the local administrator at a regional or branch office can create
local rules that match specific source, destination, and service
flows for accessing applications and services that are required
for that office. In this example, we create the following hierarchy
for security rules. you can use a similar approach for any of the
other rulebases.